Networks typically require users to log on, that is give usernames and passwords to gain access. Based on the username the network may decide on a level of access. Local Area Networks are typically connected to the outside world and often have a firewall to protect the perimeter of the LAN from external intrusions. The firewall may permit users to log in from outside the LAN. Such users are hereinafter referred to as external users, by contrast with internal users, whose connections are from within the perimeter of the LAN. The firewall may apply restrictions to such external users, or may not allow them at all, and the firewall may also monitor and control e-mail, web-interaction and the like. Typically, in the case of the external user, the firewall may check the username at the periphery and decide what access level to provide. The firewall may specify particular machines on the LAN to which the externally connecting user is permitted access, or it may provide general access, but once access to a machine is granted, the access is unrestricted. The firewall does not monitor, validate or in any other way consider actual usage, except in the case of widely known protocols, as discussed below.
Today, an organization's information systems are often prime targets for vandalism and theft, and organizations are especially concerned about the activities performed by external users. Loss or corruption of a database can be catastrophic for an organization, and information in the database can be of use to rivals. A database that includes customers' credit card numbers, or staff bank account numbers, can be of great interest to thieves. Currently, external users are able to log in, and the resulting access connection is assigned use rights associated with the logged in user. On the one hand, the organization wishes to allow staff to be able to work from home or have access to the LAN whilst traveling etc. yet at the same time free external access gives rise to threats of the kind described above. It is a goal of firewall technology to provide maximal levels of security for minimal levels of inconvenience, and one way of achieving this goal is to target access restrictions as closely as possible to the kind of activity which constitutes the threat, leaving non-threat bearing activity to continue unimpeded.
To reduce possible threats, organizations are therefore moving to implement application specific security that can monitor the actual activity of external users and block activity that is suspicious, thereby to protect against intrusion from outside the LAN that is application specific. Software packages that provide data use surveillance already exist on the market. However, the existing packages are restricted to well known and standardized protocols such as HTTP, SMTP and FTP. These packages are able to identify the use of the particular protocol and use their knowledge of the protocol to monitor and control the content. Databases however, do not use any single recognized protocol. Indeed most database packages are not accompanied by any published protocol and most database versions, even from the same source, include variations in the protocol used. There is thus no application specific security package that is currently aimed at databases, and it is not currently possible to carry out content based monitoring and control of database queries or results.